OFFICE OF THE INSPECTOR GENERAL
SOCIAL SECURITY ADMINISTRATION

CONTRACTOR SECURITY OF THE SOCIAL SECURITY ADMINISTRATION'S HOMELAND SECURITY PRESIDENTIAL DIRECTIVE 12 CREDENTIALS

June 2012   A-14-11-11106

AUDIT REPORT

Mission
By conducting independent and objective audits, evaluations and investigations, we inspire public confidence in the integrity and security of SSA's programs and operations and protect them against fraud, waste and abuse. We provide timely, useful and reliable information and advice to Administration officials, Congress and the public.

Authority
The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:

• Conduct and supervise independent and objective audits and investigations relating to agency programs and operations.
• Promote economy, effectiveness, and efficiency within the agency.
• Prevent and detect fraud, waste, and abuse in agency programs and operations.
• Review and make recommendations regarding existing and proposed legislation and regulations relating to agency programs and operations.
• Keep the agency head and the Congress fully and currently informed of problems in agency programs and operations.

To ensure objectivity, the IG Act empowers the IG with:

• Independence to determine what reviews to perform.
• Access to all information necessary for the reviews.
• Authority to publish findings and recommendations based on the reviews.

Vision
We strive for continual improvement in SSA's programs, operations and management by proactively seeking new ways to prevent and deter fraud, waste and abuse. We commit to integrity and excellence by supporting an environment that provides a valuable public service while encouraging employee development and retention and fostering diversity and innovation.

SOCIAL SECURITY
MEMORANDUM

Date:    June 1, 2012                                   Refer To:
To:      The Commissioner
From:    Inspector General
Subject: Contractor Security of the Social Security Administration's Homeland Security Presidential Directive 12 Credentials (A-14-11-11106)

OBJECTIVE
The objective of our review was to assess the Social Security Administration's (SSA) contractor process for safeguarding Homeland Security Presidential Directive 12 (HSPD-12)[1] credentials and the personally identifiable information (PII)[2] contained on them.

BACKGROUND
HSPD-12 defines a common identification standard for Federal employees and contractors. HSPD-12 requires the development and implementation of a mandatory, Government-wide standard for secure and reliable forms of identification issued by the Federal agencies to their employees and contractors so that they can gain physical access to federally controlled facilities or logical access to federally controlled information systems.[3]

OMB designated the General Services Administration (GSA) as the executive agent for the Government-wide acquisition of information technology products and services required to implement HSPD-12.[4] When developing blanket purchase agreements for HSPD-12 products and service acquisitions, GSA is to ensure all approved suppliers provide products and services that meet all applicable Federal standards and requirements.[5] Federal agencies and departments are encouraged to use the acquisition services GSA provides.[6]

As the executive agent for HSPD-12 acquisitions, GSA develops a contractual relationship with the supplier. Federal agencies develop and send Statements of Work (SoW)[7] containing contract requirements to GSA. GSA uses the SoW as a contract to procure the products and services on behalf of the Federal agencies.

For instance, SSA worked with GSA to contract with a company that provided security and identity solutions and services based on smart card technologies to create the HSPD-12 credentials.[8] GSA served as SSA's contracting officer for the contract the Agency used to acquire the HSPD-12 credentials.[9]

SSA required that the contractor produce the smart cards for SSA's credentials and personalize the surface of the credential with the employee or contractor's full name and photograph, the card's expiration date, the card's identification number, and the issuer's identification number.[10] The contractor created the credentials and delivered them to over 1,600 SSA locations nationwide. In the United States, the contractor has one facility to manufacture the credentials and another facility to personalize them. (See Appendix C for a detailed description of the credential creation process.)

The Federal Information Security Management Act of 2002 (FISMA) requires that each Federal agency provide information security protections for "(i) information collected or maintained by, or on behalf of, the agency and (ii) information systems used or operated by an agency or a contractor of an agency or other organization on behalf of an agency."[11] Federal agencies must ensure their contractors comply with FISMA and related policy requirements[12] and include those requirements in contracts and grants.[13] In addition, HSPD-12 guidance[14] requires that Personal Identity Verification[15] (PIV) service providers use systems that are certified[16] according to Federal security standards, so that all cards are issued by providers whose reliability has been appropriately accredited. Finally, OMB requires that agencies properly safeguard PII that is accessed remotely or physically transported outside an agency's secured physical perimeter.[17]

To achieve our objective, we reviewed the Agency's contract and visited two contractor sites to view the contractor's HSPD-12 credential production, personalization, and packaging and shipping processes.

[1] HSPD-12, Policy for a Common Identification Standard for Federal Employees and Contractors, August 27, 2004.
[2] Office of Management and Budget (OMB) Memorandum M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments, July 2006, page 1, defines PII as any information about an individual maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history and information which can be used to distinguish or trace an individual's identity, such as their name, Social Security number, date and place of birth, mother's maiden name, biometric records, etc., including any other personal information that is linked or linkable to an individual.
[3] HSPD-12, supra.
[4] OMB, M-05-24, Implementation of HSPD-12 -- Policy for a Common Identification Standard for Federal Employees and Contractors, Attachment A § 5.B, page 8 (August 5, 2005).
[5] Id.
[6] Id.
[7] SSA's Project Resource Guide glossary defines SoW as a document that outlines the specific supplies and services the project team wants delivered by a prospective contractor. The content of the SoW determines the type of contract that is awarded, influences the number and quality of proposals received, and serves as a baseline against which to evaluate proposals, and later, contractor performance.
[8] GSA Contract Number GS03T09DSC6003, Solicitation Number R3093975 (June 11, 2009).
[9] Id.
[10] SoW, Social Security Administration, SSA PIV II Cards R3093975, Section 2.3.3, page 3.
[11] Pub. L. No. 107-347, Title III, Section 301 § 3544(a)(1)(A), 44 U.S.C. § 3544(a)(1)(A). FISMA requires that the head of each agency be responsible for providing protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of such information and systems.
[12] According to OMB M-11-33, FY 2011 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, Frequently Asked Questions, Question 38, page 14 (September 14, 2011), Federal agencies must ensure their contractors abide by FISMA requirements.
[13] OMB, M-11-33, supra, Frequently Asked Questions, Question 41, page 17.
[14] According to Federal Information Processing Standards Publication (FIPS Pub.) 201-1, Personal Identity Verification of Federal Employees and Contractors, March 2006, Appendix B, Section B.2, p. 64, to accomplish the accreditation of PIV service providers and meet compliance with OMB Circular A-130, App. III, the Information Technology system(s) used by PIV service providers must be certified in accordance with NIST Special Publication (SP) 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems.
[15] NIST, SP 800-79-1, Guidelines for the Accreditation of Personal Identity Verification Card Issuers, Executive Summary, page 1 (June 2008), states that PIV specifications are to be used as a foundation for securely identifying every individual seeking access to valuable and sensitive Federal resources, including buildings, information systems, and computer networks.
[16] NIST SP 800-37 was revised to replace the certification and accreditation process with security authorization. See NIST, SP 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, pages B-1 and B-8 (February 2010).
[17] OMB, M-06-16, Protection of Sensitive Agency Information (June 23, 2006).

RESULTS OF REVIEW
Our interviews and observations found nothing to indicate that the physical and logical security controls[18] the contractor uses in its HSPD-12 credential manufacturing and personalization process to protect the credentials and the PII contained in them had any vulnerabilities. However, we did identify two contractor oversight concerns and two contract management issues that we want to bring to your attention.

• Contractor Oversight
  o SSA did not ensure the contractor personnel received appropriate training to safeguard Agency PII.
  o The contractor's information systems were not certified and accredited, as required by Federal guidance.
• Contract Management
  o SSA's GSA contract did not contain all the appropriate security clauses.
  o The contractor did not have a back-up facility in the United States, as required by the contract.

We discussed the contract management issues with SSA management and GSA's contracting officer. Based on our discussions, it is unclear which party is responsible for resolving these issues; therefore, we plan to submit our concerns to GSA's Office of Inspector General in a separate memorandum.

SSA DID NOT ENSURE CONTRACTOR PERSONNEL RECEIVED APPROPRIATE TRAINING TO SAFEGUARD AGENCY PII

SSA did not ensure contractor personnel received appropriate training, such as user awareness training and training on safeguarding PII. During our review, we identified three contractor personnel who had regular access to SSA files that contained PII. When asked, contractor personnel could not identify specific policy or procedures that should be used in the event of a loss of PII.

Contractor personnel receive security training when they are hired and annual refresher training. However, the majority of the training was on physical security controls, not PII protection. Although SSA established policies and procedures for PII protection, it did not ensure the contractor understood its responsibilities to safeguard PII. Without proper training on the Agency's policies and procedures, contractor personnel will not be aware of their expected responsibilities to protect PII, which unnecessarily places SSA's data at a higher risk of harm.

Agencies are fully responsible and accountable for ensuring all FISMA and related policy requirements are implemented and reviewed with relation to contractor services.[19] Agencies must ensure the contractor implements identical, not "equivalent," security procedures.[20] Furthermore, since SSA is a PIV card issuer,[21] it is responsible for the management and oversight of contractor services.[22] Specifically, the Agency is responsible for ensuring the contractor personnel receive appropriate training, such as user awareness training and training on agency policy and procedures.[23]

[18] A physical control is the implementation of security measures in a defined structure used to deter or prevent unauthorized access to sensitive material. Examples of physical controls are security guards, picture identification, and locked/dead-bolted doors. Logical controls are tools used for identification, authentication, authorization, and accountability in computer information systems.
[19] OMB, M-11-33, supra, Frequently Asked Questions, Question 40, pages 15 and 16.
[20] Id.
[21] According to NIST, SP 800-79-1, supra at page 8, PIV Card Issuer includes all functions required to produce, issue, and maintain PIV Cards for an organization.
[22] NIST, SP 800-79-1, supra at § 2.1, page 8.
[23] OMB, M-11-33, supra, Frequently Asked Questions, Question 40, pages 15 and 16.

CONTRACTOR'S INFORMATION SYSTEMS WERE NOT CERTIFIED AND ACCREDITED, AS REQUIRED BY FEDERAL GUIDANCE

SSA did not perform a certification and accreditation (C&A)[24][25] review of the contractor's information systems or obtain assurance from GSA or the contractor that an appropriate C&A had been performed, as required by NIST SP 800-79-1, Guidelines for the Accreditation of Personal Identity Verification Card Issuers,[26] and FIPS Pub. 201-1, Personal Identity Verification of Federal Employees and Contractors.[27]

Agency officials stated that GSA, as the executive agent appointed by OMB, provided a certified list of vendors that met all Federal requirements. SSA has accepted this certification and believes that the vendor has met all the needed FISMA requirements.

It was not apparent that the GSA certification also incorporated FISMA requirements. To that end, we asked GSA whether it had performed a C&A review on the contractor's systems and requested any related C&A documentation. To date, GSA has not provided us any of the requested information.

FISMA requires that agencies ensure contractors handling Federal information or operating information systems on the Government's behalf meet the same security requirements as Federal agencies.[28] OMB requires that agencies obtain sufficient assurance that security controls over contractor systems are effectively implemented and comply with Federal and agency guidelines.[29]

The Agency is responsible for ensuring the contractor's information systems meet Federal security requirements. Therefore, SSA should have obtained evidence of a proper C&A review from GSA or the contractor.

As a result of SSA not obtaining the aforementioned evidence, the Agency may not have been fully aware of the contractor's risks and whether effective security controls were implemented at the contractor's facility. During our discussions with the contractor personnel, they stated the company had conducted periodic security reviews to meet other clients' security requirements.

We requested the contractor provide the security requirements it deploys when providing similar services to other clients. Our goal was to compare those requirements to Federal security standards; however, the contractor could not provide this documentation because of non-disclosure agreements with other clients. Instead, the contractor provided documentation that demonstrated how it met the clients' security requirements for the past 2 years. Although it appears the contractor met its other clients' security requirements, we were unable to determine whether the security measures deployed by the contractor met Federal security standards. It should be noted that the contractor's services to other clients involve sensitive personal information similar to that of SSA.

We recommend SSA request documentation from GSA that the contractor's information systems are certified and accredited as required by Federal requirements. However, if GSA did not perform a C&A review of the contractor's information systems, SSA should seek guidance from OMB to determine which agency is responsible for conducting this review of the contractor's information systems.

[24] FIPS, Pub. 201-1, supra, at Appendix B, Section B.2, page 64.
[25] NIST, SP 800-37, Revision 1, supra at pp. B-1 and B-8, defines the security authorization as "The official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls."
[26] NIST SP 800-79-1 states PIV Card Issuer information systems are certified in accordance with NIST SP 800-37, Appendix G, page 66.
[27] FIPS, Pub. 201-1, supra, at Appendix B, section B.2, page 64. Also, see Footnote 13.
[28] Pub. L. No. 107-347, Title III, Section 301 § 3544(a)(1)(A)(ii). Also, see OMB, M-11-33, supra, Frequently Asked Questions, Question 40, page 16.
[29] Department of Homeland Security (DHS), FY 2011 Inspector General Federal Information Security Management Act Reporting, Version 1.0, question 10.a(2) (June 1, 2011). In July 2010, DHS began exercising primary responsibility within the executive branch for the operational aspects of Federal cybersecurity with respect to the Federal information systems that fall within FISMA under 44 U.S.C. § 3543. DHS provided Fiscal Year (FY) 2011 FISMA reporting instructions to Federal Chief Information Officers, Inspectors General, and Senior Agency Officials for Privacy. OMB, M-10-28, Clarifying Cybersecurity Responsibilities and Activities of the Executive Office of the President and the Department of Homeland Security, pages 1 and 2, July 6, 2010. Also, see M-11-33, supra, page 1.

CONCLUSION AND RECOMMENDATIONS
Based on our interviews and observations, nothing came to our attention that indicated the contractor's card manufacturing and personalization process had any vulnerability in its physical and logical security controls used to protect the HSPD-12 credentials and the PII contained on them. However, we did identify some management oversight concerns that we wanted to bring to your attention to help ensure the continued security of the Agency's HSPD-12 credentials. Because of these concerns, we recommend SSA:

1. Ensure contractor personnel receive appropriate training on the Agency's policies and procedures for safeguarding PII.
2. Request documentation from GSA that the contractor's information systems are certified and accredited as required by Federal requirements. However, if GSA did not perform a C&A review of the contractor's information systems, SSA should seek guidance from OMB to determine which agency is responsible for conducting this review of the contractor's information systems.

AGENCY COMMENTS AND OIG RESPONSE
SSA agreed with our recommendations. See Appendix D for the Agency's comments.

Patrick P. O'Carroll, Jr.

Appendices
APPENDIX A – Acronyms
APPENDIX B – Scope and Methodology
APPENDIX C – Homeland Security Presidential Directive 12 Creation Process
APPENDIX D – Agency Comments
APPENDIX E – OIG Contacts and Staff Acknowledgments

Appendix A

Acronyms
C&A           Certification and Accreditation
DHS           Department of Homeland Security
FIPS PUB.     Federal Information Processing Standards Publication
FISMA         Federal Information Security Management Act of 2002
FY            Fiscal Year
GSA           General Services Administration
HSPD-12       Homeland Security Presidential Directive 12
NIST          National Institute of Standards and Technology
OMB           Office of Management and Budget
PII           Personally Identifiable Information
PIV           Personal Identity Verification
Pub. L. No.   Public Law Number
SoW           Statement of Work
SP            Special Publication
SSA           Social Security Administration
U.S.C.        United States Code

Appendix B

Scope and Methodology
To meet the objectives of our review, we performed the following procedures.

1. Reviewed the General Services Administration's contract document (Contract Number GS03T09DSC6003) and the Statement of Work, Social Security Administration, SSA PIV II Cards, R3093975, to determine whether the Social Security Administration (SSA) included all appropriate security and contract clauses in the contract.
2. Observed SSA's process for transferring Agency employee and contractor personally identifiable information (PII)[1] to the contractor's system to determine whether the transfer complied with SSA and Federal requirements.
3. Conducted on-site visits of the contractor's Homeland Security Presidential Directive 12 (HSPD-12) credentials production, personalization, and packaging and shipping processes at two contractor sites. We observed the creation of the HSPD-12 credentials and observed the contractor's physical and logical security controls implemented to protect SSA's credentials. We visited two of the contractor's facilities: the manufacturing site and the personalization facility in the United States. No testing of the contractor's physical and logical security controls was performed.
4. Compared and assessed the contractor's process to safeguard PII against relevant Federal laws, regulations, standards, and guidelines.

We also reviewed the following.

• The Privacy Act of 1974, as amended, 5 U.S.C. 552a;
• The Federal Information Security Management Act of 2002, 44 U.S.C. 3541 et seq.;
• Office of Management and Budget (OMB) Memorandum M-05-24, Implementation of HSPD-12--Policy for a Common Identification Standard for Federal Employees and Contractors, August 5, 2005, Attachment B, HSPD-12, Policy for a Common Identification Standard for Federal Employees and Contractors, August 27, 2004;
• OMB, M-11-33, FY 2011 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, September 14, 2011;
• OMB, M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, May 22, 2007;
• OMB, M-06-16, Protection of Sensitive Agency Information, June 23, 2006;
• OMB, M-03-22, Office of Management and Budget Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, September 26, 2003;
• General Services Administration Federal Supply Service Memorandum, Acquisition of Products and Services for Implementation of HSPD-12, August 10, 2005;
• OMB Circular A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources, February 8, 1996;
• Federal Information Processing Standards Publication 201-1, Personal Identity Verification of Federal Employees and Contractors, March 2006;
• National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, August 2009;
• NIST, SP 800-79-1, Guidelines for the Accreditation of Personal Identity Verification Card Issuers, June 2008;
• NIST, SP 800-122, Guide to Protecting the Confidentiality of PII, April 2010; and
• NIST, SP 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems, February 2010.

We performed our fieldwork at SSA's contractor facilities and Headquarters from June through September 2011. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

[1] OMB, Memorandum M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments, July 2006, page 1, defines PII as any information about an individual maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history and information which can be used to distinguish or trace an individual's identity, such as their name, Social Security number, date and place of birth, mother's maiden name, biometric records, etc., including any other personal information which is linked or linkable to an individual.

Appendix C

Homeland Security Presidential Directive 12 Creation Process
As part of the credential creation process, the Social Security Administration (SSA) electronically transmits data files[1] containing personally identifiable information to the contractor. The data files are transmitted through an encrypted channel.[2] Once the contractor receives the data files, the pre-manufactured credential is personalized. In turn, the contractor ships the credentials via Federal Express to SSA. Once received, SSA adds additional information[3] to the credential before issuing it to the appropriate employee or contractor. The encrypted channel protects the data files only while they are in transit; once the contractor has received them, their protection depends on the contractor's own physical and logical controls and on the accreditation of the contractor's systems discussed in the body of this report. See the diagram below.

[1] The files contain the SSA employee or contractor's first name, middle initial, last name, card expiration date, agency affiliation, and photograph.
[2] SSA used Secure Shell to interact with the contractor's card production system. Secure Shell provides an encrypted, authenticated channel between two networked computers.
[3] SSA downloads electronic certificates for authentication purposes onto the credentials.

Appendix D

Agency Comments

SOCIAL SECURITY
MEMORANDUM

Date:    May 24, 2012                                   Refer To: S1J-3
To:      Patrick P. O'Carroll, Jr.
         Inspector General
From:    Dean S. Landis /s/
         Deputy Chief of Staff
Subject: Office of the Inspector General Draft Report, "Contractor Security of the Social Security Administration's Homeland Security Presidential Directive 12 Credentials" (A-14-11-11106)--INFORMATION

Thank you for the opportunity to review the draft report. Please see our attached comments.

Please let me know if we can be of further assistance. You may direct staff inquiries to Amy Thompson at (410) 966-0569.

Attachment

COMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL DRAFT REPORT, "CONTRACTOR SECURITY OF THE SOCIAL SECURITY ADMINISTRATION'S HOMELAND SECURITY PRESIDENTIAL DIRECTIVE 12 CREDENTIALS" (A-14-11-11106)

Recommendation 1

Ensure contractor personnel receive appropriate training on the Agency's policies and procedures for safeguarding PII.

Response

We agree. We will provide the contractor with appropriate policies and training materials on safeguarding personally identifiable information.

Recommendation 2

Request documentation from GSA that the contractor's information systems are certified and accredited as required by Federal requirements. However, if GSA did not perform a C&A review of the contractor's information systems, SSA should seek guidance from OMB to determine which agency is responsible for conducting this review of the contractor's information systems.

Response

We agree.

Appendix E

OIG Contacts and Staff Acknowledgments
OIG Contacts

   Brian Karpe, Director, Information Technology Audit Division

   Grace Chi, Audit Manager

Acknowledgments

In addition to those named above:

   Tina Nevels, Auditor

For additional copies of this report, please visit our Website at http://oig.ssa.gov/ or contact the Office of the Inspector General's Public Affairs Staff at (410) 965-4518. Refer to Common Identification Number A-14-11-11106.

DISTRIBUTION SCHEDULE

Commissioner of Social Security
Chairman and Ranking Member, Committee on Ways and Means
Chief of Staff, Committee on Ways and Means
Chairman and Ranking Minority Member, Subcommittee on Social Security
Majority and Minority Staff Director, Subcommittee on Social Security
Chairman and Ranking Minority Member, Committee on the Budget, House of Representatives
Chairman and Ranking Minority Member, Committee on Oversight and Government Reform
Chairman and Ranking Minority Member, Committee on Appropriations, House of Representatives
Chairman and Ranking Minority Member, Subcommittee on Labor, Health and Human Services, Education and Related Agencies, Committee on Appropriations, House of Representatives
Chairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Subcommittee on Labor, Health and Human Services, Education and Related Agencies, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Committee on Finance
Chairman and Ranking Minority Member, Subcommittee on Social Security, Pensions and Family Policy
Chairman and Ranking Minority Member, Senate Special Committee on Aging
Social Security Advisory Board

Overview of the Office of the Inspector General
The Office of the Inspector General (OIG) is comprised of an Office of Audit (OA), Office of Investigations (OI), Office of the Counsel to the Inspector General (OCIG), Office of External Relations (OER), and Office of Technology and Resource Management (OTRM). To ensure compliance with policies and procedures, internal controls, and professional standards, the OIG also has a comprehensive Professional Responsibility and Quality Assurance program.

Office of Audit
OA conducts financial and performance audits of the Social Security Administration's (SSA) programs and operations and makes recommendations to ensure program objectives are achieved effectively and efficiently. Financial audits assess whether SSA's financial statements fairly present SSA's financial position, results of operations, and cash flow. Performance audits review the economy, efficiency, and effectiveness of SSA's programs and operations. OA also conducts short-term management reviews and program evaluations on issues of concern to SSA, Congress, and the general public.

Office of Investigations
OI conducts investigations related to fraud, waste, abuse, and mismanagement in SSA programs and operations. This includes wrongdoing by applicants, beneficiaries, contractors, third parties, or SSA employees performing their official duties. This office serves as liaison to the Department of Justice on all matters relating to the investigation of SSA programs and personnel. OI also conducts joint investigations with other Federal, State, and local law enforcement agencies.

Office of the Counsel to the Inspector General
OCIG provides independent legal advice and counsel to the IG on various matters, including statutes, regulations, legislation, and policy directives. OCIG also advises the IG on investigative procedures and techniques, as well as on legal implications and conclusions to be drawn from audit and investigative material. Also, OCIG administers the Civil Monetary Penalty program.

Office of External Relations
OER manages OIG's external and public affairs programs, and serves as the principal advisor on news releases and in providing information to the various news reporting services. OER develops OIG's media and public information policies, directs OIG's external and public affairs programs, and serves as the primary contact for those seeking information about OIG. OER prepares OIG publications, speeches, and presentations to internal and external organizations, and responds to Congressional correspondence.

Office of Technology and Resource Management
OTRM supports OIG by providing information management and systems security. OTRM also coordinates OIG's budget, procurement, telecommunications, facilities, and human resources. In addition, OTRM is the focal point for OIG's strategic planning function, and the development and monitoring of performance measures. OTRM also receives and assigns for action allegations of criminal and administrative violations of Social Security laws, identifies fugitives receiving benefit payments from SSA, and provides technological assistance to investigations.